databases/phpmyadmin security update
Revisions pulled up:
- databases/phpmyadmin/Makefile 1.96
- databases/phpmyadmin/distinfo 1.57
---
Module Name: pkgsrc
Committed By: tron
Date: Fri Dec 23 08:07:44 UTC 2011
Modified Files:
pkgsrc/databases/phpmyadmin: Makefile distinfo
Log Message:
Update "phpmyadmin" package to version 3.4.9. Changes since 3.4.8:
- bug #3442028 [edit] Inline editing enum fields with null shows
no dropdown
- bug #3442004 [interface] DB suggestion not correct for user with
underscore
- bug #3438420 [core] Magic quotes removed in PHP 5.4
- bug #3398788 [session] No feedback when result is empty
(signon auth_type)
- bug #3384035 [display] Problems regarding ShowTooltipAliasTB
- bug #3306875 [edit] Can't rename a database that contains views
- bug #3452506 [edit] Unable to move tables with triggers
- bug #3449659 [navi] Fast filter broken with table tree
- bug #3448485 [GUI] Firefox favicon frameset regression
- [core] Better compatibility with mysql extension
- [security] Self-XSS on export options (export server/database/table),
see PMASA-2011-20
- [security] Self-XSS in setup (host parameter), see PMASA-2011-19
databases/phpmyadmin: security update
Revisions pulled up:
- databases/phpmyadmin/Makefile 1.95
- databases/phpmyadmin/distinfo 1.56
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: tron
Date: Fri Dec 2 23:39:30 UTC 2011
Modified Files:
pkgsrc/databases/phpmyadmin: Makefile distinfo
Log Message:
Update "phpmyadmin" package to version 3.4.8. Changes since 3.4.7.1:
- bug #3425230 [interface] enum data split at space char (more space to edit)
- bug #3426840 [interface] ENUM/SET editor can't handle commas in values
- bug #3427256 [interface] no links to browse/empty views and tables
- bug #3430377 [interface] Deleted search results remain visible
- bug #3428627 [import] ODS import ignores memory limits
- bug #3426836 [interface] Visual column separation
- bug #3428065 [parser] TRUE not recognized by parser
+ patch #3433770 [config] Make location of php-gettext configurable
- patch #3430291 [import] Handle conflicts in some open_basedir situations
- bug #3431427 [display] Dropdown results - setting NULL does not work
- patch #3428764 [edit] Inline edit on multi-server configuration
- patch #3437354 [core] Notice: Array to string conversion in PHP 5.4
- [interface] When ShowTooltipAliasTB is true, VIEW is wrongly shown as the
view name in main panel db Structure page
- bug #3439292 [core] Fail to synchronize column with name of keyword
- bug #3425156 [interface] Add column after drop
- [interface] Avoid showing the password in phpinfo()'s output
- bug #3441572 [GUI] 'newer version of phpMyAdmin' message not shown in IE8
- bug #3407235 [interface] Entering the key through a lookup window does not reset NULL
- [security] Self-XSS on database names (Synchronize), see PMASA-2011-18
- [security] Self-XSS on database names (Operations/rename), see PMASA-2011-18
- [security] Self-XSS on column type (Create index), see PMASA-2011-18
- [security] Self-XSS on column type (table Search), see PMASA-2011-18
- [security] Self-XSS on invalid query (table overview), see PMASA-2011-18
To generate a diff of this commit:
cvs rdiff -u -r1.94 -r1.95 pkgsrc/databases/phpmyadmin/Makefile
cvs rdiff -u -r1.55 -r1.56 pkgsrc/databases/phpmyadmin/distinfo
databases/phpmyadmin security update
Revisions pulled up:
- databases/phpmyadmin/Makefile 1.93-1.94
- databases/phpmyadmin/distinfo 1.54-1.55
---
Module Name: pkgsrc
Committed By: tron
Date: Mon Oct 24 07:14:48 UTC 2011
Modified Files:
pkgsrc/databases/phpmyadmin: Makefile distinfo
Log Message:
Update "phpmyadmin" package to version 3.4.7. Changes since version 3.4.6:
- bug #3418610 [interface] Links in navigation when
$cfg['MainPageIconic'] = false
- bug #3418849 [interface] Inline edit shows dropdowns even after closing
- bug [view] View renaming did not work
- bug [navi] Wrong icon for view (MySQL 5.5)
- bug #3420229 [doc] Missing documentation section
- bug #3423725 [pdf] Broken PDF file when exporting database to PDF
- [core] Allow to set language in URL
- bug #3425184 [doc] Fix links to PHP documentation
- bug #3426031 [export] Export to bzip2 is not working
---
Module Name: pkgsrc
Committed By: tron
Date: Sun Nov 13 09:10:25 UTC 2011
Modified Files:
pkgsrc/databases/phpmyadmin: Makefile distinfo
Log Message:
Update "phpmyadmin" package to version 3.4.7.1. Changes since 3.4.7:
- [security] Fixed possible local file inclusion in XML import (CVE-2011-4107).
databases/phpmyadmin security update
Revisions pulled up:
- databases/phpmyadmin/Makefile 1.92
- databases/phpmyadmin/distinfo 1.53
---
Module Name: pkgsrc
Committed By: tron
Date: Tue Oct 18 14:58:28 UTC 2011
Modified Files:
pkgsrc/databases/phpmyadmin: Makefile distinfo
Log Message:
Update "phpmyadmin" package to version 3.4.6. Changes since version 3.4.5:
Welcome to phpMyAdmin 3.4.6, a bugfix and minor security release.
Please refer to the upcoming PMASA-2011-15 and -16 announcements on
http://www.phpmyadmin.net/home_page/security/.
- bug #3375325 [interface] Page list in navigation frame looks odd
- bug #3313235 [interface] Error div misplaced
- bug #3374802 [interface] Comment on a column breaks inline editing
- patch #3383711 [display] Order by a column in a view doesn't work in
some cases
- bug #3386434 [interface] Add missing space to server status
- [core] Remove library PHPExcel, due to license issues
- [export] Remove native Excel export modules (xls and xlsx formats)
- [import] Remove native Excel import modules (xls and xlsx formats)
- bug #3392920 [edit] BLOB emptied after editing another column
- [security] Fixed XSS in Inline Edit on save action, see PMASA-2011-14
- [security] Fixed XSS with db/table/column names, see PMASA-2011-14
- bug #3323060 [parser] SQL parser breaks AJAX requests if query has
unclosed quotes
- bug #3323101 [parser] Invalid escape sequence in SQL parser
- bug #3348995 [config] $cfg['Export']['asfile'] set to false does not
select asText option
- bug #3340151 [export] Working SQL query exports error page
- bug #3353649 [interface] "Create an index on X columns" form not validated
- bug #3350790 [interface] JS error in Table->Structure->Index->Edit
- bug #3353811 [interface] Info message has "error" class
- bug #3357837 [interface] TABbing through a NULL field in the inline mode
resets NULL
- remove version number in /setup
- bug #3367993 [usability] Missing "Generate Password" button
- bug #3363221 [display] Missing Server Parameter on inline sql query
- bug #3367986 [navi] Drop field -> lost active table
- remove misleading comment on the "Rename database" interface
- bug #3374374 [interface] Fix footnote for inexact count while browsing
- bug #3372807 [interface] Fix security warning link in setup
- bug #3374347 [display] Backquotes in normal text on import page
- bug #3358750 [core] With Suhosin, urls are too long in edit links
- [security] Missing sanitization on the table, column and index names leads
to XSS vulnerabilities, see PMASA-2011-13
This is a major feature update which requires at least PHP 5.2.0 and
MySQL 5.0. It features a new user interface and uses MySQL for
authentication and access control.
The update was necessary as "phpmyadmin" 2.11 is no longer supported:
http://sourceforge.net/news/?group_id=23067&id=301992
This version fixes the script insertion reported in CVE-2011-0987.
This version fixes the information leak reported in PMASA-2011-1.
CVE-2010-4481 taken from the phpMyAdmin GIT repository.
Thanks a lot to Tim Zingelman for pointing out that the fixes had
finally been made available.
Fix XSS vulnerability reported in PMASA-2010-8 (CVE-2010-4329?).
- [core] Fix broken cleanup of $_GET
- bug #3054458 [core] Fixed displaying number of rows.
Changes since version 2.11.10:
- [setup] Fixed output sanitizing in setup script, see PMASA-2010-4 for
more details.
- [core] Fixed various XSS issues, see PMASA-2010-5 for more details.
converters/php-mbstring
databases/php-mysqli
net/php-soap
textproc/php-dom
textproc/php-xsl
time/php-calendar
No functional change should be done.
Changes since version 2.11.9.6:
- [core] safer handling of temporary files with open_basedir
(thanks to Thijs Kinkhorst)
- [core] do not automatically set and create TempDir, it might lead to
security issue (thanks to Thijs Kinkhorst)
- [setup] avoid usage of (un)serialize, which might be unsafe in some cases
This fixes the security vulnerabilities reported in PMASA-2010-1,
PMASA-2010-2 and PMASA-2010-3.
- [security] XSS and SQL injection, thanks to Herman van Rink
code execution vulnerability reported in PMASA-2009-3 / CVE-2009-1151.
- [security] possible XSRF on several pages
little sensitive when it comes to removing non-existent files.
- [security] XSS in MSIE using NUL byte
- [security] XSS in a Designer component
- bug #2031221 [auth] Links to version number on login screen
- bug #2032707 [core] PMA does not start if ini_set() is disabled
- bug #2004915 [bookmarks] Saved queries greater than 1000 chars
not displayed
- bug #2037381 [export] Export type "replace" does not work
- bug #2037375 [export] DROP PROCEDURE needs IF EXISTS
- bug #2045512 [export] Numbers in Excel export
+ [lang] Norwegian UTF-8 original file remerged
- bug #2074250 [parser] Undefined variable seen_from
- [security] Code execution vulnerability
This update fixes the security vulnerability reported in PMASA-2008-7.
- patch #1987593 [interface] Table list pagination in navi
- bug #1989081 [profiling] Profiling causes query to be executed again
(really causes a problem in case of INSERT/UPDATE)
- bug #1990342 [import] SQL file import very slow on Windows
- bug [XHTML] problem with tabindex and radio fields
- bug #1971221 [interface] tabindex not set correctly
- bug [views] VIEW name created via the GUI was not protected
with backquotes
- bug #1989813 [interface] Deleting multiple views (space in name)
- bug #1992628 [parser] SQL parser removes essential space
- bug #1989281 [export] CSV for MS Excel incorrect escaping of
double quotes
- bug #1959855 [interface] Font size option problem when no
config file
- bug #1982489 [relation] Relationship view should check for changes
- bug [history] Do not save too big queries in history
- [security] Do not show version info on login screen
- bug #2018595 [import] Potential data loss on import resubmit
- patch #2020630 [export] Safari and timedate
- bug #2022182 [import, export] Import/Export fails because of
Mac files
- [security] protection against cross-frame scripting and
new directive AllowThirdPartyFraming
- [security] possible XSS during setup
- [interface] revert language changing problem introduced
with 2.11.7.1
- small fix for notice about "lang"
This update fixes the security vulnerability reported in PMASA-2008-6.
- bug #1908719 [interface] New field cannot be auto-increment and
primary key
- [dbi] Incorrect interpretation for some mysqli field flags
- bug #1910621 [display] part 1: do not display a TEXT utf8_bin
as BLOB (fixed for mysqli extension only)
- [interface] sanitize the after_field parameter,
thanks to Norman Hippert
- [structure] do not remove the BINARY attribute in drop-down
- bug #1955386 [session] Overriding session.hash_bits_per_character
- [interface] sanitize the table comments in table print view,
thanks to Norman Hippert
- bug #1939031 Auto_Increment selected for TimeStamp by Default
- patch #1957998 [display] No tilde for InnoDB row counter when
we know it for sure, thanks to Vladyslav Bakayev - dandy76
- bug #1955572 [display] alt text causes duplicated strings
- bug #1762029 [interface] Cannot upload BLOB into existing row
- bug #1981043 [export] HTML in exports getting corrupted,
thanks to Jason Judge - jasonjudge
- bug #1936761 [interface] BINARY not treated as BLOB:
update/delete issues
- protection against XSS when register_globals is on and .htaccess
has no effect, thanks to Tim Starling
- bug #1996943 [export] Firefox 3 and .sql.gz (corrupted);
detect Gecko 1.9, thanks to Juergen Wind
- (2.11.7.1) [security] XSRF/CSRF by manipulating the db,
convcharset and collation_connection parameters,
thanks to YGN Ethical Hacker Group
This update fixes the security vulnerability reported in PMASA-2008-5.
- bug #1908719 [interface] New field cannot be auto-increment and
primary key
- [dbi] Incorrect interpretation for some mysqli field flags
- bug #1910621 [display] part 1: do not display a TEXT utf8_bin
as BLOB (fixed for mysqli extension only)
- [interface] sanitize the after_field parameter,
thanks to Norman Hippert
- [structure] do not remove the BINARY attribute in drop-down
- bug #1955386 [session] Overriding session.hash_bits_per_character
- [interface] sanitize the table comments in table print view,
thanks to Norman Hippert
- bug #1939031 Auto_Increment selected for TimeStamp by Default
- patch #1957998 [display] No tilde for InnoDB row counter when
we know it for sure, thanks to Vladyslav Bakayev - dandy76
- bug #1955572 [display] alt text causes duplicated strings
- bug #1762029 [interface] Cannot upload BLOB into existing row
- bug #1981043 [export] HTML in exports getting corrupted,
thanks to Jason Judge - jasonjudge
- bug #1936761 [interface] BINARY not treated as BLOB:
update/delete issues
- protection against XSS when register_globals is on and .htaccess
has no effect, thanks to Tim Starling
- bug #1996943 [export] Firefox 3 and .sql.gz (corrupted);
detect Gecko 1.9, thanks to Juergen Wind
- bug #1903724 [interface] Displaying of very large queries
in error message
- bug #1905711 [compatibility] Functions deprecated in PHP 5.3:
is_a() and get_magic_quotes_gpc()
- bug [lang] catalan wrong accented characters
- bug #1893034 [Export] SET NAMES for importing with command-line
client
+ [lang] Russian update
- bug #1910485 [core] Unsetting the whitelist during the loop
- bug #1906980 [Export] Import of VIEWs fails if temp table exists
- bug #1812763 [Copy] Table copy when server is in ANSI_QUOTES
sql_mode
- bug #1918531 [compatibility] Navigation isn't w3.org valid
- bug #1926357 [data] BIT defaults displayed incorrectly
- patch #1930057 [auth] colon in password prevents HTTP login
on CGI/IIS
- patch #1929553 [lang] Don't output BOM character in Swedish
language file
- patch #1895796 [lang] Typo in Japanese lang files
- bug #1935652 [auth] Access denied (show warning about mcrypt
on login page)
- bug #1906983 [export] Reimport of FUNCTION fails
- bug #1919808 [operations] Renaming a database fails to handle
functions
- bug #1934401 [core] Cannot force a language
- bug #1944077 [core] Config file containing a BOM
- bug #1947189 [scripts] Missing head tag in scripts/signon.php
+ [lang] Romanian update
security problem reported in PMASA-2008-3 (CVE-2008-1924).
The new version fixes a credentials disclosure on shared hosts via
session data reported in security announcement PMASA-2008-2.
The new version fixes several bugs including the cross site scripting
vulnerability reported in PMASA-2007-8 and the SQL injection vulnerability
reported in PMASA-2008-1.
their files via a custom do-install target.
directory. Problems noted by Stoned Elipot and Martti Kuparinen in
private e-mail. Bump package revision because of these changes.
directory. Problems noted by Stoned Elipot and Martti Kuparinen in
private e-mail. Bump package revision because of these changes.
created anymore. Pointed out by Geert Hendrickx.
Change since version 2.10.2:
- creating VIEWs from query results
- managing triggers, procedures and functions
- supports MySQL 5.0.37 query profiling
- improved interface for servers hosting thousands of databases and tables.
- security fixes for PMASA-2007-5, PMASA-2007-6 and PMASA-2007-7
the owner of all installed files is a non-root user. This change
affects most packages that require special users or groups by making
them use the specified unprivileged user and group instead.
(1) Add two new variables PKG_GROUPS_VARS and PKG_USERS_VARS to
unprivileged.mk. These two variables are lists of other bmake
variables that define package-specific users and groups. Packages
that have user-settable variables for users and groups, e.g. apache
and APACHE_{USER,GROUP}, courier-mta and COURIER_{USER,GROUP},
etc., should list these variables in PKG_USERS_VARS and PKG_GROUPS_VARS
so that unprivileged.mk can know to set them to ${UNPRIVILEGED_USER}
and ${UNPRIVILEGED_GROUP}.
(2) Modify packages to use PKG_GROUPS_VARS and PKG_USERS_VARS.
The new version fixes several bugs and addresses the security
vulnerability reported in PMASA-2007-4.
- Fix for PMASA-2007-3 (PHP Executor Deep Recursion Stack Overflow)
- New graphical relation manager, called Designer, available in
database view
Changes since version 2.9.1.1 (literal quote from the home page):
Version 2.9.2-rc1 contains some security fixes (an advisory will be
published when releasing 2.9.2) and other fixes.
1.) Don't use hardcoded group "wheel". Use "APACHE_GROUP" instead which
defaults to "www".
2.) Create user and group if necessary. This fixes PR pkg/35141 by
Wouter Schoot.
3.) Fix path to Perl interpreter in helper script "convertcfg.pl" and
add missing dependence on Perl package.
Bump package revision because of these fixes.
Changes since version 2.9.0.3:
- Security fixes
- Wrong import when ;; is at buffer boundary
- Duplicate id for checkbox on table Operations page
- Better behavior on the Add new fields page
- Export: csv/cvs typo
- Renaming a db containing a view
- Automated timestamp values
- Import: correctly fail if file is too short
- Default font family on original theme
XSS vulnerability reported in PMASA-2006-6.
Changes since version 2.8.2.4:
- Fixed for security vulnerability reported in PMASA-2006-5
- New export options
- A lot of bug fixes
This release fixes some bugs found since version 2.8.2 has been released.
This update was provided by Martin Wilke in PR pkg/34314.
Changes since version 2.8.0.4:
- XSS vulnerability from requests not containing a token
- Reenable XML option in Export
- State in documentation that your browser must accept cookies
- CVS link was broken on main page
- Adding a user with password containing a backslash
- Removing a default value
- Setup script: compatibility with security tokens
- Setup script: detection of writable config
- Reading the database list with MySQL wildcards
all PEAR packages to php?-pear-* and all Apache packages to ap13-* or
ap2-* respectively. Add new variables to simplify the Makefile
handling. Add CONFLICTS on the old names. Reset revisions of bumped
packages. ap-php will now depend on the default Apache and PHP version.
All programs using it have an implicit option of the Apache version
as well.
OK from jlam@ and adrianp@.